US11196764B2ActiveUtilityA1

Device and method for handling network attacks in software defined network

48
Assignee: SAMSUNG ELECTRONICS CO LTDPriority: Aug 16, 2017Filed: Aug 14, 2018Granted: Dec 7, 2021
Est. expiryAug 16, 2037(~11.1 yrs left)· nominal 20-yr term from priority
H04L 63/1408H04L 43/16H04L 47/2441H04L 63/1441
48
PatentIndex Score
0
Cited by
22
References
18
Claims

Abstract

The present disclosure relates to a pre-5 th -Generation (5G) or 5G communication system to be provided for supporting higher data rates Beyond 4 th -Generation (4G) communication system such as Long Term Evolution (LTE). The present disclosure provides an apparatus and a method for handling a network attack in a software defined network (SDN). The method for handling a network attack in an SDN according to various embodiments of the present disclosure includes detecting a first candidate of the network attack in a flow during a first time interval, in response to detecting the first candidate, changing quality of service (QoS) of the flow from first QoS to second QoS, detecting a second candidate of the network attack in the flow of the second QoS during a second time interval following the first time interval, and in response to detecting the second candidate, blocking the flow. The apparatus and the method according to various embodiments of the present disclosure may gradually block a network attack through multiple levels, to thus reduce the probability of determining a wrong network attack and to lower a recovery cost for network failure. Therefore, the apparatus and the method according to various embodiments of the present disclosure enable efficient network management.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method for handling a network attack in a software defined network (SDN), comprising:
 determining whether a network attack candidate is detected in the flow during at least one time interval; 
 in response to determining, changing the (QoS) of the flow to the first QoS, wherein the at least one time interval precedes the first time interval; 
 detecting a first candidate of the network attack in the flow during first time interval; 
 in response to detecting the first candidate, changing the QoS of the flow from the first QoS to a second QoS; 
 detecting a second candidate of the network attack in the flow of the second QoS during a second time interval following the first time interval; and 
 in response to detecting the second candidate, blocking the flow. 
 
     
     
       2. The method of  claim 1 , wherein detecting the first candidate comprises:
 receiving statistics information regarding a plurality of flows which comprise the flow; 
 based on the statistics information, determining a network feature of the flows; 
 generating a detection model to detect the network attack, based on the network feature; and 
 detecting the first candidate by applying the detection model to the flow. 
 
     
     
       3. The method of  claim 2 , wherein the statistics information comprises parameter values of parameters associated with the flows, and
 the parameters comprise at least one of time elapsed after a flow rule is set, time for erasing the flow rule if matching for the flow rule does not occur, time for erasing the flow rule regardless of the matching for the flow rule, a packet size of the flow rule, and a number of packets matched to the flow rule. 
 
     
     
       4. The method of  claim 3 , further comprising:
 detecting an input for selecting at least one of the parameters through a user interface (UI), 
 wherein determining the network feature comprises: 
 identifying a parameter value of the at least one parameter. 
 
     
     
       5. The method of  claim 1 , wherein the detecting the first candidate comprises:
 detecting a plurality of alerts in the flow during the first time interval; and 
 if a number of the alerts is equal to or greater than a reference number, determining that the first candidate is detected. 
 
     
     
       6. The method of  claim 5 , wherein setting at least one of a duration of the first time interval, a duration of the second time interval, and the reference number is inputted through a user interface (UI). 
     
     
       7. The method of  claim 1 , wherein the second QoS is lower than the first QoS. 
     
     
       8. The method of  claim 1 , wherein changing the QoS of the flow comprises:
 if not detecting the first candidate, increasing the QoS of the flow. 
 
     
     
       9. The method of  claim 1 , wherein a number of times of changing the QoS of the flow exceeds a threshold number, and
 setting of the threshold number is inputted through a UI. 
 
     
     
       10. An apparatus for handling a network attack in a software defined network (SDN), comprising:
 a transceiver; and 
 at least one processor operably coupled to the transceiver, and configured to:
 determine whether a network attack candidate is detected in a flow during at least one time interval, 
 in response to determining, change a quality of service (QoS) of the flow to a first QoS, wherein the at least one time interval precedes a first time interval, 
 detect a first candidate of the network attack in the flow during the first time interval, 
 in response to detecting the first candidate, change quality of service (QoS) the QoS of the flow from the first QoS to a second QoS, 
 detect a second candidate of the network attack in the flow of the second QoS during a second time interval following the first time interval, and 
 block the flow in response to detecting the second candidate. 
 
 
     
     
       11. The apparatus of  claim 10 , wherein the at least one processor is further configured to:
 receive statistics information regarding a plurality of flows which comprise the flow, 
 determine a network feature of the flows, based on the statistics information, 
 generate a detection model to detect the network attack, based on the network feature, and 
 detect the first candidate by applying the detection model to the flow. 
 
     
     
       12. The apparatus of  claim 11 , wherein the statistics information comprises parameter values of parameters associated with the flows, and
 the parameters comprise at least one of time elapsed after a flow rule is set, time for erasing the flow rule if matching for the flow rule does not occur, time for erasing the flow rule regardless of the matching for the flow rule, a packet size of the flow rule, and a number of packets matched to the flow rule. 
 
     
     
       13. The apparatus of  claim 12 , further comprising:
 an input unit for detecting an input for selecting at least one of the parameters through a user interface (UI), 
 wherein, to determine the network feature, the least one processor identifies a parameter value of the at least one parameter. 
 
     
     
       14. The apparatus of  claim 10 , wherein the at least one processor is further configured to:
 detect a plurality of alerts in the flow during the first time interval, and 
 if a number of the alerts is equal to or greater than a reference number, determine that the first candidate is detected. 
 
     
     
       15. The apparatus of  claim 14 , wherein setting at least one of a duration of the first time interval, a duration of the second time interval, and the reference number is inputted through a user interface (UI). 
     
     
       16. The apparatus of  claim 10 , wherein the second QoS is lower than the first QoS. 
     
     
       17. The apparatus of  claim 10 , wherein, if not detecting the first candidate, the at least one processor increases the QoS of the flow. 
     
     
       18. The apparatus of  claim 10 , wherein a number of times of changing the QoS of the flow exceeds a threshold number, and
 setting of the threshold number is inputted through a UI.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.